Can't get my domain set up with Cloudflare's origin server SSL certificate
Let's summarize my problem:
1) My domain's SSL is working fine with non-proxied DNS records and Let's Encrypt.
As soon as I proxy my DNS records, I get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH warning in all the browsers I have tested.
2) My domain's SSL is working fine with non-proxied and proxied DNS records and the Cloudflare Universal SSL certificate.
3) My domain's SSL is not working with the Cloudflare Origin Server Certificate and proxied DNS records. If the DNS records are not proxied, I can see that the Origin Server Certificate gets loaded but not trusted, which should be normal, as this only works with proxied DNS enabled.
As soon as I enable the DNS proxies, I get an instant ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
I can ping the domain and get the Cloudflare IPv4 and IPv6 back, but website content will not load at all, as the ERR_SSL_VERSION_OR_CIPHER_MISMATCH is present.
What I did: I paused Cloudflare a couple of times for more than 24h now, as this should solve this issue and is the only answer I got so far, but this doesn't fix it. SSL/TLS is of course set to Full (strict), as mentioned in the SSL documentation on Cloudflare.
Also worth mentioning: my DNSSEC authentication chain is without any error!
My Origin Server Certificate is uploaded correctly to my webserver (Plesk), with the PRIVATE KEY, the CERTIFICATE and the *-ca.crt (downloaded from Cloudflare).
All traffic is redirected to HTTPS (via Plesk and Cloudflare). No edge certificates are active (Universal SSL is off), as I want to use only Cloudflare's Origin SSL.
DNS for my mail still runs over a non-proxied DNS entry, which works flawlessly.
I would also like to mention, just for reference, that I am on Plesk Obsidian (latest version) with OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024).
I'd really appreciate some help with this, as I have been fumbling with it for quite a while now. Thanks in advance!
19 Replies
Just another question: what do I have to expect when I create an origin certificate in Cloudflare and install it on my server? Does this show up as a Cloudflare certificate in my browser (as unproxied) or as, for example, a Google certificate (proxied and valid for 3 months)? So the fact that it is shown as valid for 3 months in my browser has nothing to do with the 15-year validity on Cloudflare's site? Does it mean it will auto-renew every 3 months for 15 years?
Maybe I was expecting something completely wrong.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH when proxied is because you don't have any certificates in Cloudflare able to handle the traffic. You can see from your screenshots that Universal SSL is disabled when it should be enabled.
Any other reason it would fail to issue could be due to misconfiguration/domain issues, only possible to diagnose with the domain name.
Hi, thanks for the reply.
Origin certs only work proxied; as you note, they aren't trusted by browsers, only by the proxy. You'd see the Universal Edge cert on connecting, which will automagically renew every ~3 months or so, and you'd only have to renew your origin cert after 15 years if that's the expiration you picked, yea.
My thinking was that Universal SSL is only for edge certificates and has to be turned off when using an origin certificate.
I guess now I understand that, also with an origin certificate, Universal SSL has to be enabled.
Nah, origin certs only work because you'd have proxy enabled and an edge cert to step in and encrypt traffic to the browser with a trusted cert.
and that the Cloudflare SSL does not show up with the name Cloudflare in the certificate
Origin <- Origin Cert (Trusted only by proxy) -> Proxy <- Edge Cert (issued by trusted authority, managed by cf) -> Browser
Not always true.
I expected to see a certificate with the name Cloudflare, valid for 15 years,
not a certificate issued by W1 Google.
Yea, you wouldn't see that with proxy enabled, as that's not the edge cert. Browsers don't even trust certs longer than 1 yr.
That's a GTS cert, yea. CF uses multiple different certificate authorities; they have in the past had (DigiCert) and have now (via SSL.com) edge certificates that show as issued by them/as the intermediary, though. It wouldn't say "origin certificate" as part of it, though.
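The origin-vs-edge distinction in the replies above (the browser only ever sees a short-lived, browser-trusted edge cert; the 15-year origin cert is seen only by the proxy) can be checked from the command line. This is an added example, not code from the thread; it assumes only that the openssl CLI is on PATH, and the hostnames it mentions are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: tell an origin-style certificate
# (15-year Cloudflare Origin CA cert, trusted only by the proxy) apart from
# an edge-style certificate (~90-day, browser-trusted) using only the
# openssl CLI. Assumes openssl is on PATH; hostnames are placeholders.

# Browsers refuse leaf certificates valid for more than 398 days, so a
# 15-year origin cert can never be what a browser is shown when proxied.
MAX_BROWSER_LIFETIME_SECS=$((398 * 86400))

# classify_cert FILE : prints "origin-style" or "edge-style".
classify_cert() {
  # -checkend N exits 0 if the cert is still valid N seconds from now,
  # i.e. its remaining lifetime alone exceeds what a browser would accept.
  if openssl x509 -in "$1" -noout -checkend "$MAX_BROWSER_LIFETIME_SECS" >/dev/null 2>&1; then
    echo "origin-style"
  else
    echo "edge-style"
  fi
}

# describe_cert FILE : issuer and validity window, for the human reader.
describe_cert() {
  openssl x509 -in "$1" -noout -issuer -startdate -enddate
}

# fetch_leaf HOST TARGET OUTFILE : save the leaf cert presented for HOST when
# connecting to TARGET. TARGET=HOST shows the edge cert (proxied); TARGET=the
# origin's own IP shows what Cloudflare sees. Needs network; not run here.
fetch_leaf() {
  openssl s_client -servername "$1" -connect "$2:443" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# make_test_cert DAYS OUTFILE : constructed self-signed cert for offline use.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout /dev/null -out "$2" -days "$1" -subj "/CN=constructed.example" \
    >/dev/null 2>&1
}

# Usage: sh check_certs.sh www.domain.xx ORIGIN_IP
if [ "$#" -eq 2 ]; then
  for target in "$1" "$2"; do
    fetch_leaf "$1" "$target" /tmp/leaf.pem
    echo "== $1 via $target: $(classify_cert /tmp/leaf.pem)"
    describe_cert /tmp/leaf.pem
  done
fi
```

Run against the proxied hostname you should see an edge-style cert from a public CA; run against the origin IP with the same SNI you should see the origin-style cert, which is exactly why a browser connecting without the proxy reports it as untrusted.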
The origin certificate is installed on my Plesk server, and if I disable the certificate there, the site loads with a DNS error, which is expected then.
Thanks for clarifying this for me.
Just saying, going off "is Cloudflare part of the issuer" isn't a reliable indicator of it being an origin cert; it could still be an edge cert.
This is the certificate I uploaded in Plesk for the domain.
Unproxied I see this.
Of course not secured.
And proxied and with Universal SSL enabled I see the trusted connection (screenshot above), issued by Google Trust Services.
So this will automatically renew every 3 months, without me having to change any settings at DNS level or clicking any renewal confirmations via e-mail, right?
Yup, 3-month certs renew sooner than that though, usually a month out (so every 2).
But it will last for the 15 years the origin cert is signed for?
The origin cert will, yea, and CF will keep trusting that one when connecting to origin.
Fine.
I still use Let's Encrypt for all the mail traffic.
I still have the _acme-challenge for Let's Encrypt in my DNS so that this can also auto-renew:
one as NS _acme-challenge www.domain.xx
and one as TXT _acme-challenge ---letsencrypttoken---
This helped me very quickly.
Unfortunately no one ever mentioned this essential information in my previous postings at the Cloudflare community: that the Cloudflare certificate does not show up the same way it does when loaded unproxied.
I really appreciate your input! Thanks a lot.
I'll mark this as solved.